Redundant, self-checking, self-organizing control system

ABSTRACT

A self-organizing control system having a plurality of self-organizing controllers acting in parallel to provide actuation signals for plant control. The controllers are constantly monitored to locate faulty controllers. When one controller does not compare with the others, it is initially coerced to operate correctly and, after a predetermined period, if correct operation is not provided, the faulty controller is removed from the system. In one embodiment, an odd number of controllers is always in the system to provide control on a majority basis. Therefore, the removal of a faulty controller will require the removal of an operating controller as well.

United States Patent 3,593,307

[72] Inventors: James Reid Gouge, Jr., [...]; Robert L. Barron, Burke, both of Va.
[21] Appl. No.: 761,162
[22] Filed: Sept. 20, 1968
[54] REDUNDANT, SELF-CHECKING, SELF-ORGANIZING CONTROL SYSTEM
18 Claims, 5 Drawing Figs.
[52] U.S. Cl.: 340/172.5, 340/146.1
[51] Int. Cl.: G06[...]
Field of Search: 235/153, [...] 307/204

Primary Examiner: Paul J. Henon
Assistant Examiner: Melvin B. Chapnick
Attorney: [...] M. Canter

References Cited

UNITED STATES PATENTS
3,309,571 3/1967 Gilker 317/22
3,315,127 4/1967 Lenz 317/22
3,335,403 8/1967 Mann et al. 340/146.1
3,460,096 8/1969 Barron 340/172.5
3,519,998 7/1970 Barron 340/172.5
2,803,703 8/1957 Sherwin 340/172.5 X
3,348,197 10/1967 Akers, Jr. et al. 340/172.5 X
3,037,698 6/1962 Saxenmeyer 235/153

OTHER REFERENCES
Teoste, R. Design of a Repairable Redundant Computer. In IRE Transactions on Electronic Computers, Vol. EC-11, No. 5; October, 1962; p. 643-649.

[Drawing sheets 1 and 2 of 3, patent 3,593,307, patented July 1[...], 1971; inventors James Reid Gouge, Jr. and Robert L. Barron. FIG. 1 block labels: performance assessment, actuation control logic, comparison logic, plant, sensors.]

REDUNDANT, SELF-CHECKING, SELF-ORGANIZING CONTROL SYSTEM

This invention relates to a redundant, self-checking, self-organizing control system and, more specifically, to plural self-[...] and of comparing the behavior of each controller with the other self-organizing controllers to determine malfunction thereof on a majority vote basis and eliminate malfunctioning controllers from the system.

Self-organizing control systems have recently been introduced into the art and provide the advantages of high-speed self-organizing control requiring a minimum of information storage and capable of single or multiple goal and single or multiple actuator control in a plant under control wherein the levels of control have large or inconsequential levels of interaction. Systems of the above-mentioned types have found significant utility in the art, such systems being disclosed in the [...] Pat. No. 3,460,096 filed July 14, 1966 for Self-Organizing Control System and Ser. No. 611,143, filed Sept. 29, 1967 for Self-Organizing Control System for Providing Multiple-Goal Multiple-Actuator Control, now U.S. Pat. No. 3,519,998, these applications being incorporated herein in their entirety by reference. While self-organizing control systems of these types operate efficiently, there is always the possibility of failure which is inherent in any system. It is [...] systems are being controlled substantially entirely by a self-organizing control system, it is highly desirable [...] minimum.

In accordance with the present invention, there is provided a self-organizing control system having a plurality of self-organizing controllers connected in parallel, each responsive to the same control and measured response variables, to provide actuator excitation signals. These actuator excitation signals are then summed to provide the actuation signal for the plant control. Each of the paralleled self-organizing control units is constantly monitored whereby the systems are compared and any single one of these systems not comparing with the results of the rest is initially coerced to operate correctly. If such operation is not corrected within a predetermined time delay period, a failure signal is provided and the particular self-organizing control unit is inhibited from operation and removed from the control system. Simultaneously, the outputs from the other self-organizing control systems are increased by a predetermined amount to offset the signal loss due to the removal of the faulty self-organizing control unit from the system. In this manner, the system can continue to operate as long as more than two, preferably, and even two of the self-organizing control units are operating properly and system [...] failure of a self-organizing control unit, an odd number of units is always maintained operative. Therefore, upon failure and removal of one faulty unit, a second operative unit must also be removed from the system.

It is therefore an object of this invention to provide a redundant self-organizing control system capable of removing faulty units from the system.

It is a further object of this invention to provide a self-organizing control system capable of coercing faulty units into proper operation.

It is a still further object of this invention to provide a self-organizing control system capable of operating without failure as long as more than two, preferably, or as long as two units of the system are operable.

The above objects and still further objects of the invention will immediately become apparent to those skilled in the art after consideration of the following preferred embodiment of the invention which is provided by way of example and not by way of limitation, wherein:

FIG. 1 is a block diagram of a redundant self-organizing control system in accordance with the present invention;

FIG. 2 is a circuit of a portion of the comparison logic block of FIG. 1;

FIG. 3 is a circuit diagram of the warning and failure indicator of the present invention;

FIG. 4 is a circuit diagram of the disconnect circuit of the [...]

FIG. 5 is a circuit diagram of the remainder of the disconnect circuitry and the weighting circuitry controlled by the disconnect circuitry of FIG. 4 and comprising the summing circuit for providing the U signal of FIG. 1.

Referring now to FIG. 1, there is shown a block diagram of the preferred embodiment of the present invention. The system includes an input command signal C and an output channel control signal U for controlling the plant 1. It is apparent that the plant is generic for any function that is under control, this for example being pitch rate or acceleration of an aircraft, temperature or pressure and the like of a process, etc. The control system of the present invention, as shown in the preferred embodiment, includes three self-organizing control systems connected in parallel. For reasons to be described hereinbelow, the number of such parallel self-organizing control units can be increased as desired, the limiting factor being merely one of economics and the system using three units [...].

As shown in FIG. 1, the command signal C is applied to a plurality of summing circuits 3, [...] and 7, the command signal being summed with the output X from the sensors 9 which are shown remote from the plant 1. It should be understood, as set forth in the above copending applications, [...] plant 1. As described in the above identified copending applications, the output of the summing circuit 3 is an error signal e1 which is applied to performance assessment unit 11 to provide an output value signal V1. In the preferred embodiment, the [...] when the [...] operating in proper manner and will be a logical "one" when the system performance is regressive. Therefore, a logical one applied to the OR gate 17 will be indicative of regressive action by the system and cause the actuation control logic circuit 23 to change operation in the manner described in the above identified copending applications. It can be seen that, in the event a logical "one" is applied to the "punish" line 29, the OR gate [...] will continually apply a [...] to the actuation control [...] indicative of regressive system action and thereby attempt to coerce the self-organizing control unit number one (having subscripts 1) into proper operation. The same manner of operation will be provided in the self-organizing control systems having subscripts 2 (including performance assessment unit 13) and 3 as set forth in FIG. 1.

Under normal system operation, each of the actuation control logic units 25 and 27 will provide its output control [...] control line 31 as the U signal to control the plant 1. The control signals U1, U2 and U3 will also be applied to a comparison logic circuit 39, which will be described in greater detail hereinbelow, wherein these command signals are compared to determine if the systems are operating properly. In the event of a fault which is detected therein, an output punishment signal P1, P2 or P3 is provided along the lines 29, 31 and 33 and fed to the respective OR gates 17, 19 and 21 to attempt to coerce the improperly operating self-organizing control unit into proper operation. In the event that, after a predetermined time delay, the punishment signals P are unable to coerce their associated self-organizing control unit into proper operation, a disconnect is provided and the entire self-organizing control unit under faulty operation will be disconnected from the circuit and the summation circuit 35 will automatically be adjusted to increase the level of the signals received from the remaining properly operating control systems. In this manner, it is possible to remove an improperly operating system from the circuit and continue operation with the remaining properly operating systems, this being done on a majority rule basis.

It should be understood that, in the event a plurality of units, such as, for example, five self-organizing control units, were being utilized in parallel it would always be necessary to retain an odd number of operating units in order to provide the majority control system if such operation is desired. For this reason, it may be desirable to remove an even number of self-organizing control units from the circuit whenever a faulty unit is to be disconnected. Under these circumstances, assuming five parallel units are being used, upon the indication of a first faulty system and disconnect, two of the units would be removed from the circuit, leaving three. Upon the next indication of a faulty circuit, it would be necessary to remove two additional circuits, thereby leaving one circuit for operation. However, since at this time only two of the five originally operating units have been found to be defective, the unit which was operational but removed along with the first faulty unit to be located can now be returned to the circuit, thereby providing three operational self-organizing control units and allowing the system to continue operation until the next failure is provided. In this manner, it can be seen that the number of failures which the system can handle before shutdown is equal to the number of parallel self-organizing control units in the system minus two. This will be explained in more detail hereinbelow.

Referring now to FIG. 2, there is shown a portion of the comparison logic circuitry 39 of FIG. 1. FIG. 2 includes three identical circuits, each responsive for operation with an associated self-organizing control unit of FIG. 1. The uppermost circuit is designed to provide a punishment signal P1 in the event that the use of one command signal is not the same as those emanating from the actuation control logic circuits 25 and 27. In the event, for example, that the U1 signal is different from the U2 and the U3 signals, one of the AND gates 41 and 43 will be opened and provide a signal to the OR gate 53 for providing a punishment signal P1 to coerce the self-organizing control unit 1 and, specifically, actuation control logic 23 thereof into proper operation. During this coercion time, the output of OR gate 53 will be applied to the integrator 59. The integrator will be charged up until such time as the self-organizing control unit number 1 is coerced into proper operation by the punishment signal P1. In the event that the integrator 59 is charged up to a predetermined threshold value prior to coercion of self-organizing control unit number 1 into proper operation, the comparator circuit 61 will provide a trigger signal to set the flip-flop 63 and thereby provide a disconnect signal D1 to disconnect the self-organizing control unit number 1 from the system in a manner to be described in more detail hereinbelow. It can be seen that the remaining circuits of FIG. 2 comprising the elements 45, 47, 49, [...], 55 and 57 will operate in the identical manner for the self-organizing control units 2 and 3.

FIG. 3 is a warning and failure circuit wherein a warning signal is present when any one of the disconnect signals D1, D2 or D3 is provided by failure of the associated self-organizing control unit. A failure signal is provided when any two of the three disconnect signals are provided simultaneously, indicating that two of the three units are operating improperly.

Referring now to FIG. 4, there is shown relay circuitry controlled by the disconnect signals D1, D2 and D3. Each of the disconnect signals operates a [...] circuit associated with the self-organizing controller of identical subscript. For example, upon the existence of a disconnect signal D1, a signal will be provided to the transistor 65 and [...] operation of the relay 67 indicated as K1. In the same manner, a disconnect signal D2 will operate the relay 69 indicated as K2 and a disconnect signal D3 will operate the relay 71 indicated as K3.

Referring now to FIG. 5, there is shown a circuit diagram which corresponds to the summing circuit 35 of FIG. 1. It can be seen that each of the control signals U1, U2 and U3 is provided along a separate input line. The relay contacts 73, 75 and 77 are normally closed, thereby allowing their respective signals U1, U2 and U3 to pass to the U line. The relay contacts marked 79, 81, 83, 85, 87 and 89 are normally open and are closed upon operation of the corresponding relay (FIG. 4) to provide a shunting path around the resistors 91, 93, and 95. It can be seen that under normal system operation, each of the signals U1, U2 and U3 will be added and passed through the amplifier 109 and the normally closed relay contacts 97, 99, 101, 103, 105 and 107 to the output channel U. Upon operation of the disconnect signal, for example, D1, the relay 67 will be operated and act upon all the K1 switches. Accordingly, the switch 73 will be open, thereby eliminating U1 from the output channel U. At the same time, the signals provided by U2 and U3 will be enhanced by operation of the switches [...] and 87 which will now be closed and thereby shunt the resistors 93 and 95, thereby decreasing the impedance in the path and increasing the signal applied to the amplifier 109. The ratio of resistance between resistors 111 and 91 will be 2 to 1, resistor 111 having twice the resistance of resistor 91. The resistance values 91, 93 and 95 will be identical with each other as will resistance values of resistors 111, 113 and 115 be identical with each other.

The switches 97, 99, 101, 103, and 107 are provided to remove all the self-organizing control units from the network in the event that two of the three systems shown fail. It can be seen that the switches are arranged such that an open circuit is provided between the amplifier 109 and the output channel U for every possible combination of two of the three self-organizing control units. In this manner, it can be seen that the control signals are enhanced whenever one of the self-organizing control units is eliminated from the circuit due to failure, and that the entire self-organizing control system is removed from the circuit upon failure of two out of the three units. It is, of course, apparent to those skilled in the art that the above described system can be expanded to encompass more than three parallel units and such units are included herein as obvious modifications of the disclosed specific embodiment of the invention.

As stated previously, in order to provide a system capable of operating on a majority basis, it is necessary to remove an operating self-organizing control unit from the system when an inoperative unit is removed to maintain an odd number of paralleled units on line. To provide a circuit capable of performing the above described operation, and assuming, by way of example only, that the system includes five parallel self-organizing control units, the binary level output of each unit is continuously monitored and compared to the output of the four other units to detect variance from the majority. The only requirement is that the outputs be binary in nature or, if analog, that they be signum detected and this binary level signum Ui be used as Ui in a logic system. If over some period of time (determined by the time constant of a lag circuit 59) a given branch continues to disagree with the majority, it is disconnected from the system. As a consequence of this disconnection, another branch is arbitrarily selected and disconnected to leave a system with an odd number of branches, i.e., three. Comparison of individual output signals with that of the majority continues. In the event another branch is judged a failure, it is disconnected and the branch previously disconnected to preserve an odd number of branches is reconnected to the system. Thus, two units failed and were disconnected and three units still are on line. Comparison continues as before. If now a third branch is deemed a failure, it is disconnected and the two remaining carry the load. A continued disagreement between the remaining two branches will result in total system shutoff and failure indicator. The gain of the U signal summer can readily be modified in relation to the number of branches on line to preserve overall loop gain, as was done with the three branch system as described in FIGS. 4 and 5.
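The five-branch reconfiguration sequence described above, as an added Python simulation; it is not code from the patent and does not reproduce the patent's Boolean equations. The class and function names, the tick-count `threshold` standing in for the lag circuit 59, the choice of which healthy branch to park, and the `n / online` gain rule are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class RedundantVoter:
    """Majority-vote supervisor for n parallel branches with binary outputs."""
    n: int = 5          # branches at start (odd)
    threshold: int = 3  # assumption: disagreeing ticks tolerated before disconnect
    failed: set = field(default_factory=set)  # judged failed, irreversible
    parked: set = field(default_factory=set)  # healthy, removed to keep count odd
    timers: dict = field(default_factory=dict)
    pair_timer: int = 0
    shutdown: bool = False

    def online(self):
        return [i for i in range(self.n) if i not in self.failed | self.parked]

    def gain(self):
        # Assumption: summer gain scales as n/online to preserve loop gain.
        on = self.online()
        return 0.0 if self.shutdown or not on else self.n / len(on)

    def step(self, outputs):
        """outputs[i] is branch i's signum output (+1 or -1).
        Returns (voted output or None, set of branches receiving 'punish')."""
        if self.shutdown:
            return None, set()
        on = self.online()
        if len(on) == 2:  # no majority possible: agree, or count toward shutoff
            a, b = on
            if outputs[a] == outputs[b]:
                self.pair_timer = 0
                return outputs[a], set()
            self.pair_timer += 1
            self.shutdown = self.pair_timer >= self.threshold
            return None, set()
        majority = 1 if sum(outputs[i] for i in on) > 0 else -1
        punished = {i for i in on if outputs[i] != majority}
        for i in on:  # timer charges while punished, resets once coerced
            self.timers[i] = self.timers.get(i, 0) + 1 if i in punished else 0
        tripped = [i for i in sorted(punished) if self.timers[i] >= self.threshold]
        if tripped:
            self._disconnect(tripped[0])
        return majority, punished

    def _disconnect(self, i):
        self.failed.add(i)
        self.timers.pop(i, None)
        if self.parked:  # a healthy branch is waiting: reconnect it
            self.parked.remove(min(self.parked))
        elif len(self.online()) > 2 and len(self.online()) % 2 == 0:
            spare = max(self.online())  # arbitrary choice of branch to park
            self.parked.add(spare)
            self.timers.pop(spare, None)


def run_sequence(n=5, threshold=3):
    """Constructed scenario: branches 0, 1, 2, ... stick at -1 one after another
    while the correct output is +1. Returns a snapshot after each fault."""
    voter = RedundantVoter(n=n, threshold=threshold)
    outputs = [1] * n
    history = []
    for faulty in range(n - 1):
        outputs[faulty] = -1
        for _ in range(threshold):
            voter.step(outputs)
        history.append((sorted(voter.failed), sorted(voter.parked),
                        voter.online(), voter.shutdown))
    return history


if __name__ == "__main__":
    for snapshot in run_sequence():
        print(snapshot)
```

Each snapshot lists the failed branches, the parked branch, the branches on line and the shutdown flag; with five branches the fourth fault is the one that shuts the system off, matching the "number of units minus two" figure given earlier.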

The circuitry of the above described system would be as set forth in the following Boolean equations which fully describe the required circuit.

Assuming the following definitions:

Ui ≡ binary level output signal of ith branch

Pi ≡ logic signal indicator that ith branch disagrees with majority

D ≡ logic signal indicator that ith branch is assumed to have failed and has been disconnected (irreversible except by reset)

D ≡ logic signal indicator that ith branch has been disconnected from system to preserve odd number of branches (reversible)

D," Drl-D hence D."=D,XD,

W ≡ Warning indicator for single branch failure

W ≡ Warning indicator for double branch failure

W ≡ Warning indicator for triple branch failure

F ≡ Failure indicator, at least four branch failures

The D. term is to assure P. remains low during the period that the ith branch has been disconnected to preserve an odd number of branches.

The above equations fully set forth the required circuitry to perform the above described operations for a typical five branch system.

Though the invention has been described with respect to a specific preferred embodiment thereof, many variations and modifications thereof will immediately become apparent to those skilled in the art. It is therefore the intention that the appended claims be interpreted as broadly as possible in view of the prior art to include all such variations and modifications.

We claim:

1. A self-checking control system which comprises an odd plurality of control devices, said control devices acting in parallel with each other to provide a control output, and means responsive to a fault in one of said control devices for removing said one of said control devices and an additional one of said control devices from said system.

2. A self-checking control system as set forth in claim 1 further including means responsive to a second faulty device for removing said second faulty device from said system and replacing said additional one of said devices into said system.

3. A self-checking control system as set forth in claim 1 further including means responsive to removal of said devices from said system for increasing the output of the remaining ones of said odd plurality of control devices to retain the level of said control output.

4. A self-checking control system as set forth in claim 2 further including means responsive to removal of said devices from said system for increasing the output of the remaining ones of said odd plurality of control devices to retain the level of said control output.

5. A self-checking control system as set forth in claim 1 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down said system.

6. A self-checking control system as set forth in claim 2 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down said system.

7. A self-checking control system as set forth in claim 3 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down system.

8. A self-checking control system as set forth in claim 4 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down said system.

9. A self-checking control system which comprises a plurality of control devices acting in parallel to provide a single control signal, means responsive to the faulty operation of any one of said control devices to coerce said one of said control devices into proper operation and means responsive to a predetermined time length of faulty operation of said one of said control devices for shutting down said one of said control devices.

10. A self-checking control system as set forth in claim 9 wherein an odd plurality of said devices is present in said system.

11. A self-checking control system as set forth in claim 10 wherein said means responsive to faulty operation in one of said control devices for shutting down said device also removes an additional one of said control devices from said system.

12. A self-checking control system as set forth in claim 11 further including means responsive to a second faulty device for removing said second faulty device from said system and replacing said additional one of said devices into said system.

13. A self-checking control system as set forth in claim 11 further including means responsive to removal of said devices from said system for increasing the output of the remaining devices to retain the level of said control signal.

14. A self-checking control system as set forth in claim 12 further including means responsive to removal of said devices from said system for increasing the output of the ones of said devices operating in said system to retain the level of said control signal.

15. A self-checking control system as set forth in claim 11 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down said system.

16. A self-checking control system as set forth in claim 12 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down said system.

17. A self-checking control system as set forth in claim 13 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down said system.

18. A self-checking control system as set forth in claim 14 further including means responsive to the existence of only two nonfaulty devices for retaining said system in operation and means responsive to a nonmatch of said two devices for shutting down said system. 
